cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
siemple
Level 7
Report Inappropriate Content
Message 1 of 3
‎06-26-2013 01:50 PM

Regex in a Dynamic Watchlist

Jump to solution

I have been attempting to build a watchlist with some test regex for a use case.  Ultimately, we'd like to use a watchlist with a regex string to detect certain variable URL patterns normally associated with malicious traffic.  For many of these threats, regex is readily available from security sites.

I've created a test watchlist and an accompanying alarm.  I've yet to have a succesful hit, so I'm attempting to troubleshoot.  When reading the ESM documentation covering watchlists, I found the following:

6.Select the type of data this watchlist will be watching for by clicking on the down arrow in the Type field.

embim1  When searching by string, the search will not be filtered by the type selected; all matching strings will be returned. Specifying a type simply assigns the search results to a field type, allowing the watchlist to be used throughout the system (i.e.,  filters or alarms).

I believe that this means that the regex is run against the entire packet, should there be a positive match it will then so a positive result for the alarm that triggers off a "field match."  Is that correct?  My fear is that the regex is actually only being run on the "Type" field on the event, and if that's the case, it limits the usefulness of regex watchlisting to only those fields.

Is there possibly an example of building a dynamic watchlist that I can adapt for our needs?

Also, is there a character limit to the "search:" field?

Message was edited by: siemple on 6/27/13 4:53:18 PM CDT
0 Kudos
Reply
1 Solution

Accepted Solutions
Highlighted
staschler
Level 13
Report Inappropriate Content
Message 3 of 3
‎09-28-2014 04:55 PM

Re: Regex in a Dynamic Watchlist

Jump to solution

Regex in a dynamic watchlist is not run against the packet.  It's run against the string table, which includes all parsed data elements of type "string".  A subtle difference, but important. 

the regex search will return all matching strings (regardless of type), and place them in the list.  The watchlist has a data type associated to it...in a sense you will be typecasting all the matching strings to the type you've defined for your Watchlist. 

View solution in original post

Reply
2 Replies
Highlighted
rhinomike
Level 9
Report Inappropriate Content
Message 2 of 3
‎09-27-2014 04:03 PM

Re: Regex in a Dynamic Watchlist

Jump to solution

Would you know the answer for this question?

0 Kudos
Reply
Highlighted
staschler
Level 13
Report Inappropriate Content
Message 3 of 3
‎09-28-2014 04:55 PM

Re: Regex in a Dynamic Watchlist

Jump to solution

Regex in a dynamic watchlist is not run against the packet.  It's run against the string table, which includes all parsed data elements of type "string".  A subtle difference, but important. 

the regex search will return all matching strings (regardless of type), and place them in the list.  The watchlist has a data type associated to it...in a sense you will be typecasting all the matching strings to the type you've defined for your Watchlist. 

View solution in original post

Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC